University Timetable Management System

---

RESTful API for managing a university's timetable system Backend

Table of contents

• Installation
• Functional Requirements
  • User Roles and Authentication
  • Course Management
  • Timetable Management
  • Room and Resource Booking
  • Student Enrollment
  • Notifications and Alerts
• Non-Functional Requirements
• Testing
  • Unit Testing
  • Integration Testing
  • Security Testing
  • Performance Testing

Installation

To run this project locally, follow these steps:

1. Create a New Folder Open it

2. Press Alt + D to select the address bar.

3. Type cmd and press Enter. This will open a command prompt window with the current folder as its location. (this method will open a command prompt window with the directory set to the folder you specified, allowing you to run commands directly in that folder)

4. Clone the repository to your local machine using Git:

git clone github_repo_link

5. Navigate to the project directory

cd backend

6. Install the project dependencies using npm.

npm i

7. run

npm start

---

Tech Stack

• Node.js
• Express.js
• MongoDb
• JavaScript

Aditional Dependencies

• jsonwebtoken for session management.
• bcrypt for Hashing passwords.
• Winston Logger for Log critical information for audit and diagnostic purposes.
• Jest for Unit Testing.
• Helmet js helps secure Express apps by setting HTTP response headers.
• OWASP ZAP proxy security for testing
• Postman API end point check and integration testing
• artillery.io for performance testing.

Functional Requirements

1. User Roles and Authentication:

• Define multiple user roles (e.g., Admin, Faculty, Student) with different access levels.
• Implement secure login functionality and session management using JWT.

2. Course Management:

• Allow CRUD operations on courses, including course name, code, description, and credits.
• Enable Admins to assign Faculty to courses.

3. Timetable Management:

• Facilitate the creation and modification of weekly timetables for different courses.
• Include functionality to add, update, and delete class sessions, specifying the course, time, faculty, and location.

4. Room and Resource Booking:

• Manage classrooms and resources (e.g., projectors, labs) availability.
• Allow booking of rooms and resources for classes or events, ensuring no overlaps.

5. Student Enrollment:

• Enable students to enroll in courses and view their timetables.
• Allow Faculty and Admins to view and manage student enrollments in courses.

6. Notifications and Alerts:

• Implement a system to notify users of timetable changes, room changes, or important announcements.

---

Request methods

The request method is the way we distinguish what kind of action our endpoint is being "asked" to perform. For example, GET pretty much gives itself. But we also have a few other methods that we use quite often.

Method	Description
GET	Used to retrieve a single item or a collection of items.
POST	Used when creating new items e.g. a new user, post, comment etc.
PATCH	Used to update one or more fields on an item e.g. update e-mail of user.
PUT	Used to replace a whole item (all fields) with new data.
DELETE	Used to delete an item.

User Roles and Authentication

User Register

Method	URL	Description
POST	http://localhost:8080/api/v1/users/	Create a new User Registration.

• Validate fields to ensure data integrity.
• Password validation rules enforce requirements such as containing at least one uppercase letter, one special character, and one number. Implement password complexity validation using Joi.
• Alert when a user with the given email already exists.
• Implement password hashing for security purposes.

User Login

Method	URL	Description
POST	http://localhost:8080/api/v1/auth/	User Login.

• Inform users of invalid email or password during login attempts."
• After a successful login, a token will be generated with an expiration time.

Role Access

Method	URL	Description
GET	http://localhost:8080/api/v1/users/admin/dashboard	Access Granted Admin Dashbord
GET	http://localhost:8080/api/v1/users/faculty/dashboard	Access Granted Faculty Dashbord
GET	http://localhost:8080/api/v1/users/student/dashboard	Access Granted Student Dashbord

• The authorized user’s token. This is used to gain access to protected endpoint.

Header key	Value	Value
Authorization	Bearer GeneratedToken	After a Successful loging Generates a token with limited expire time use that as the token.

Course Management

Course

Method	URL	Description
GET	http://localhost:8080/api/v1/courses/	Retrieve all course.
POST	http://localhost:8080/api/v1/courses/	Create a new User Registration.
POST	http://localhost:8080/api/v1/courses/:id/assign-faculty	Assign Faculty to Course.
GET	http://localhost:8080/api/v1/courses/:id	Retrieve course by ID.
PATCH	http://localhost:8080/api/v1/courses/:id	Update course by ID.
DELETE	http://localhost:8080/api/v1/courses/:id	Delete course by ID.

• To assign faculty to course login as admin, use the generated token

Timetable Management

Timetables

Method	URL	Description
GET	http://localhost:8080/api/v1/timetables/	Retrieve all Timetables.
POST	http://localhost:8080/api/v1/timetables/	Create a new Timetable.
GET	http://localhost:8080/api/v1/timetables/:id	Retrieve Timetable by ID.
PATCH	http://localhost:8080/api/v1/timetables/:id	Update Timetable by ID.
DELETE	http://localhost:8080/api/v1/timetables/:id	Delete Timetable by ID.

• When time table updateed Locate enrolled students for the updated courses on a daily basis and send out notifications.

Room and Resource Booking

Classroom

Method	URL	Description
GET	http://localhost:8080/api/v1/classrooms/	Retrieve all Classrooms.
POST	http://localhost:8080/api/v1/classrooms/	Create a new Classroom.
GET	http://localhost:8080/api/v1/classrooms/:id	Retrieve Classroom by ID.
PATCH	http://localhost:8080/api/v1/classrooms/:id	Update Classroom by ID.
DELETE	http://localhost:8080/api/v1/classrooms/:id	Delete Classroom by ID.

Resource

Method	URL	Description
GET	http://localhost:8080/api/v1/resources	Retrieve all Resources.
POST	http://localhost:8080/api/v1/resources	Create a new Resources.
GET	http://localhost:8080/api/v1/resources/:id	Retrieve Resources by ID.
PATCH	http://localhost:8080/api/v1/resources/:id	Update Resources by ID.
DELETE	http://localhost:8080/api/v1/resources/:id	Delete Resources by ID.

Booking

Method	URL	Description
GET	http://localhost:8080/api/v1/bookings	Retrieve all Bookings.
POST	http://localhost:8080/api/v1/bookings/	Create a new Bookings.
GET	http://localhost:8080/api/v1/bookings/:id	Retrieve Bookings by ID.
PATCH	http://localhost:8080/api/v1/bookings/:id	Update Bookings by ID.
DELETE	http://localhost:8080/api/v1/bookings/:id	Delete Bookings by ID.

• The classroom has a specific capacity; when assigning resources, ensure it does not exceed this capacity. Additionally, check if the classroom is already booked for the specified date and time, and verify if any of the resources are already reserved for the same date and time.

• Check if total resource capacity exceeds classroom capacity.
• Check if classroom is already booked for the specified date and time.
• Check if any of the resources are already booked for the specified date and time.

Student Enrollment

Enroollment

Method	URL	Description
GET	http://localhost:8080/api/v1/enrollments/	Retrieve all Enrollments Only Admin and Faculty have Access.
POST	http://localhost:8080/api/v1/enrollments/	Create a new Enrollment.
GET	http://localhost:8080/api/v1/enrollments/timetable	Retrieve timetable for enrolled students.
PATCH	http://localhost:8080/api/v1/enrollments/:id	Update Enrollment By ID Permisson only for Admin and Faculty.
DELETE	http://localhost:8080/api/v1/enrollments/:id	Delete Enrollment By ID Permisson only for Admin and Faculty.

• Only enrolled students have access to the timetable.
• Faculty and admins are granted permission to view and manage student enrollments in courses

Notifications and Alerts

Notification

Method	URL	Description
GET	http://localhost:8080/api/v1/notifications/	Retrieve all Notifications accessible only by Admin and Faculty.
POST	http://localhost:8080/api/v1/notifications/	Create a new Notifications accessible only by Admin and Faculty.
GET	http://localhost:8080/api/v1/notifications/:Userid	Retrieve Notification By UserID.
PATCH	http://localhost:8080/api/v1/notifications/:id	Update Notifications accessible only by Admin and Faculty.
DELETE	http://localhost:8080/api/v1/notifications/:id	Delete Notifications accessible only by Admin and Faculty.

• Notify users about timetable changes, room changes, or important announcements.
• Admins and faculty members can update and delete notifications by ID.

HTTP Response Status Codes

One of the most important things in an API is how it returns response codes. Each response code means a different thing and consumers of your API rely heavily on these codes.

Code	Title	Description
200	OK	When a request was successfully processed (e.g. when using GET, PATCH, PUT or DELETE).
201	Created	Every time a record has been added to the database (e.g. when creating a new user or post).
304	Not modified	When returning a cached response.
400	Bad request	When the request could not be understood (e.g. invalid syntax).
401	Unauthorized	When authentication failed.
403	Forbidden	When an authenticated user is trying to perform an action, which he/she does not have permission to.
404	Not found	When URL or entity is not found.
440	No accept header	When the required "Accept" header is missing from the request.
422	Unprocessable entity	Whenever there is something wrong with the request (e.g. missing parameters, validation errors) even though the syntax is correct (ie. 400 is not warranted).
500	Internal server error	When an internal error has happened (e.g. when trying to add/update records in the database fails).
502	Bad Gateway	When a necessary third party service is down.

---

Non-Functional Requirements

1. Security

   • hashing passwords using bcrypt
   • When store passwords in a database, it's important to store them securely to prevent unauthorized access. Simply storing passwords in plain text is a significant security risk because if the database is compromised, all passwords would be exposed.
   • using bcrypt to hash it along with a random salt, and storing the resulting hash and salt securely in a database.

   

• Helmet Js
  • Helmet js helps secure Express apps by setting HTTP response headers.
  • By adding app.use(helmet()), Helmet.js is now applied as middleware to Express application. This will automatically set various HTTP headers to secure application against common vulnerabilities, such as Cross-Site Scripting (XSS), Clickjacking, and other.

• Enhanced Security: Shields against common API vulnerabilities.
• Attack Prevention: Guards against XSS, CSRF, and more.
• XSS & CSRF Protection: Blocks script injections and request forgery.
• Content Security Policy (CSP): Defines trusted content sources, preventing injection attacks.
• MIME Sniffing Prevention: Stops browsers from serving malicious content.
• Referrer Policy Control: Manages referrer information to prevent data leakage.
• NoCache Middleware: Ensures sensitive API responses aren't cached for data privacy.
• Easy Integration: Quick setup with Express.js for immediate security boosts.
• Ongoing Updates: Actively maintained for continuous protection against evolving threats.

• Before Adding Helmet js

• After Adding Helmet js

2. Database Design.

3. Code Quality and Documentation.
4. Error Handling and Logging Used Winston logger to Log critical information for audit and diagnostic purposes.

---

Testing

Unit Testing

Implement unit tests for individual components and functions to validate their behavior in isolation.

• updated .env for New Database for testing perpose.

DB =mongodb+srv://vishwaud:[email protected]/unittest?retryWrites=true&w=majority&appName=ClusterX

• Setting up Jest for unit testing
• Install Dependencies.

  npm install jest supertest --save-dev
  npm i jest supertest cross-env
  

• Update Package.JSON.

  "scripts": {
    "test": "cross-env NODE_ENV=test jest --testTimeout=5000",
    "start": "nodemon server.js"
  },
  

• Create a Folder Name test. then create a file there called example.test.js.
• Then Write Unit Test Cases.
• Run Test cases

  npm test filename.test.js
  

Comprehensive unit tests covering all components.

Register User

Login User

Course

Timetable

Classroom

Resource

Bookings

Enrollments

Notifications

---

Integration Testing

Integration testing with Postman involves sending HTTP requests to API endpoints and verifying that the responses match the expected behavior.

• Install Postman
• Create a new Collection
• Add Requests to the Collection
  • Choose the HTTP method (GET, POST, PUT, DELETE, etc.) that corresponds to the endpoint you want to test.
• Define Tests in Test section Write Test Script.
• go to collection then run tab.
• Run Integration Tests

integration Test using Postman Link to document.

---

Security Testing

• OWASP Zap

1. Start OWASP ZAP on your system.
2. Configure ZAP Proxy:

• Navigate to the "Tools" menu and select "Options."
• Under the "Local Proxy" section, note the IP address and port number where ZAP is listening for proxy requests set localhost 8081.

3. Configure Postman file Settings (ctrl + comma) Proxy use coustom proxy configaration localhost 8081.
4. Explore APIs Send request from postman.

• Access the APIs you want to test using postman.

5. Spider the APIs

• In ZAP, go to the "Spider" tab.
• Enter the base URL of the APIs and click "Start Scan.".

6. Active Scan:

• After spidering is complete, go to the "Active Scan" tab.
• Click on "Start Scan" to begin the active scanning process.

7. Review Scan Results:

• Once the scan is complete, navigate to the "Alerts" tab.

8. Generate Reports:

• ZAP allows you to generate reports summarizing the findings of your security testing.
• Go to the "Report" tab.

---

Performance Testing

• Install Atrillert.io

npm install -g artillery

• sample test:

config:
  target: http://localhost:8080
  phases:
    - duration: 20
      arrivalRate: 5
      name: Startup phase
scenarios:
  - flow:
    - get:
        url: "/api/v1/courses"

• example: run performance test

npx artillery run performance/demo_api_load.yml

• Generate report

npx artillery run performance/demo_api_load.yml --output performance/report.json

• HTML Format

npx artillery report performance/report.json --output performance/report.html

• Performance test by Artillery

• Performance test by postman.

---